Abstract

It had been widely claimed that quantum mechanics can protect private information during public decision, for example in the so-called two-party secure computation. If this were the case, quantum smart-cards could prevent fake teller machines from learning the PIN (Personal Identification Number) from the customers' input. Although such optimism has been challenged by the recent surprising discovery of the insecurity of the so-called quantum bit commitment, the security of quantum two-party computation itself remains unaddressed. Here I answer this question directly by showing that all one-sided two-party computations (which allow only one of the two parties to learn the result) are necessarily insecure. As corollaries to my results, quantum one-way oblivious password identification and the so-called quantum one-out-of-two oblivious transfer are impossible. I also construct a class of functions that cannot be computed securely in any two-sided two-party computation. Nevertheless, quantum cryptography remains useful in key distribution and can still provide partial security in "quantum money" proposed by Wiesner.
PACS Numbers: 03.65.Bz, 89.70.+c, 89.80.+h
I. INTRODUCTION

Copying of an unknown quantum state (by, for example, an eavesdropper) is strictly forbidden by the linearity of quantum mechanics. Consequently, quantum cryptography[fn 1] (or more precisely quantum key distribution) allows two users to share a common random secret string of information which can then be used to make their subsequent communications totally unintelligible to an eavesdropper. In this paper I am, however, concerned with another class of applications of quantum cryptography: the protection of private information during public decision. For instance, two millionaires may be interested in knowing who is richer, but neither wishes to disclose the precise amount of money that he/she has. More generally, in a one-sided two-party computation, Alice has a private input i and Bob a private input j. Alice would like to help Bob to compute a prescribed function f(i,j) without revealing anything about i more than what is logically necessary. (For a precise definition of a one-sided two-party computation, see Section 2.) In classical cryptography, such two-party computations can be made secure only either 1) through trusted intermediaries or 2) by accepting some unproven computational assumptions.[fn 2] The impossibility of unconditionally secure two-party computation in classical cryptography had led to much interest in quantum cryptographic protocols which are supposed to be unconditionally secure.



Footnote 1: Quantum cryptography was first proposed by Wiesner in about 1970 in a manuscript that remained unpublished until 1983.

Footnote 2: In the first case, if both Alice and Bob trust Charles, they simply tell him their private inputs and let Charles perform the computation on their behalf and tell them the result afterwards. The problem here is that Charles can cheat by telling either Alice or Bob the other party's private input. In the second case, assumptions such as the hardness of factoring can be used. However, an adversary with unlimited computing power (or with a quantum computer) can defeat such unproven computational assumptions.
An important primitive in secure computation is the so-called bit commitment.[fn 3] The optimism in unconditionally secure quantum two-party computation was largely contributed by well-known claims of unconditionally secure quantum bit commitment protocols (and also oblivious transfer). However, such optimism has recently been put into serious question due to the surprising demonstration of the insecurity of quantum bit commitment (against an EPR-type of attack with delayed measurements) by Mayers [20,21] and also by Chau and me [22,23]. Yet an important question remains: other than quantum key distribution, can quantum cryptographic protocols, in particular two-party computation, be unconditionally secure at all? This is an important question because, in many cases, quantum bit commitment might be thought of as a means to an end, namely two-party secure computation. If secure quantum two-party computation is possible, many applications of quantum cryptography, such as the prevention of frauds due to typing the PIN (Personal Identification Number) into a dishonest teller machine mentioned in the abstract, will still survive.

Amazingly, one possible viewpoint to take is that there is really nothing to prove because the standard reduction theorems in classical cryptography[fn 4] immediately imply that quantum one-sided two-party computation is impossible: in classical cryptography, an example of one-sided two-party computation is one-out-of-two oblivious transfer, which can be used to implement bit commitment. If bit commitment is impossible, one-sided two-party computations must also generally be impossible. Doubt has been expressed in the literature concerning the validity of this standard reduction in a quantum model. Here I argue that by definition the standard reduction must apply to quantum cryptographic protocols: bit commitment, oblivious transfer and two-party computations are classical concepts whose security requirements are defined in a classical probabilistic language. If there is any sense at all in saying that a quantum protocol can achieve, say, two-party computation, it is a matter of definition that the quantum protocol has to satisfy the classical probabilistic security requirements under all circumstances. In particular, one must be allowed to use a quantum cryptographic protocol as a "black box" primitive in building up more sophisticated protocols and to analyze the security of those new protocols with classical probability theory.[fn 5]

Footnote 3: The basic idea of bit commitment is to conceal information and to reveal it later. It might be useful to note that Yao [18] has shown that any secure quantum bit commitment scheme can be used to implement secure quantum oblivious transfer, whereas Kilian [19] has shown that, in classical cryptography, oblivious transfer can be used to implement two-party secure computation. Therefore, this chain of argument appears to suggest that, with quantum bit commitment, quantum cryptography could achieve unconditionally secure two-party computation, thus solving a long-standing problem in cryptography.

Footnote 4: I thank G. Brassard for helpful discussions about those standard reduction theorems.

By adopting this new and, in my opinion, more accurate definition of secure quantum protocols, one sees that the impossibility of quantum bit commitment immediately implies the impossibility of quantum one-sided two-party computations (and one-out-of-two oblivious transfer as well as oblivious transfer), and this is the end of the story.

Yet such an ending is disappointing in two aspects. While such a viewpoint is conceptually correct, it is a bit formal and non-constructive. A constructive proof would make things more transparent and convincing. A perhaps more serious objection is that while such an argument rules out one-out-of-two oblivious transfer and the two-party computation of a general function, there remains the possibility that some special class of functions (whose two-party computations cannot be used to implement one-out-of-two oblivious transfer[fn 6]) might still be computed securely in one-sided two-party computations. Here I investigate directly the security of one-sided two-party computation without using the formal standard reduction. My main result is that one-sided quantum two-party secure computation is always impossible.[fn 7] (For its definition, see Section 2.) That is to say, as far as one-sided two-party computations are concerned, quantum cryptography is absolutely useless. As a corollary, the so-called quantum one-out-of-two oblivious transfer is also impossible. I also present a class of functions that cannot be computed in any two-sided two-party computation. Nevertheless, quantum cryptography remains useful for key distribution and can still provide partial security in "quantum money" proposed by Wiesner.

Footnote 5: One may get the feeling from reading the literature that a quantum protocol should be regarded as secure if it appears to satisfy its security requirements when it is executed only once and in isolation. This, however, does not guarantee that it satisfies the security requirements when it is used as a subroutine of a larger routine, because a cheater might defeat the security of the larger routine by performing coherent measurements. Therefore, I think that a more accurate definition of a secure quantum protocol should be much more stringent.



II. IDEAL ONE-SIDED TWO-PARTY SECURE COMPUTATION

A. Definition and Security Requirements

Suppose Alice has a private (i.e., secret) input $i \in \{1, 2, \ldots, n\}$ and Bob has a private input $j \in \{1, 2, \ldots, m\}$. An ideal one-sided two-party secure computation is defined as follows: Alice helps Bob to compute a prescribed function $f(i,j) \in \{1, 2, \ldots, p\}$ in such a way that at the end of the protocol,

(a) Bob learns f(i,j) unambiguously,

(b) Alice learns nothing (about j or f(i,j)), and

(c) Bob knows nothing about i more than what logically follows from the values of j and f(i,j).

Notice that, for a one-sided two-party computation protocol to be secure, Bob is supposed to input a particular value of j and to learn the value of f(i,j) for that particular value of j only. I will show that these three security requirements (a), (b) and (c) are incompatible in the following manner: assuming that the first two security requirements (a) and (b) are satisfied, I will work out a cheating strategy for Bob which would allow him to learn the values of f(i,j) for all j's, thus violating security requirement (c).[fn 8] I, therefore, conclude that ideal quantum one-sided two-party computations are impossible. In Section 4, I will generalize this result to non-ideal protocols (which may violate security requirements (a) and (b) slightly).

Footnote 6: According to Kilian, such functions do exist.

Footnote 7: Remarkably, an alternative proof of the impossibility of ideal quantum one-sided two-party computation can be made by generalizing Wiesner's early insight on the impossibility of a one-way scheme for so-called one-out-of-two oblivious transfer and combining it with the idea of the proof of the impossibility of quantum bit commitment. I omit this alternative proof here because it is not transparent at all.

B. Bob's cheating strategy

Consider the following cheating strategy by Bob, who determines the values of $f(i,j_1), f(i,j_2), \ldots, f(i,j_m)$ successively: Bob first inputs a value $j_1$ for j and goes through the protocol. At the end of the protocol, he determines the value of $f(i,j_1)$. He then applies a unitary transformation to change the value of j from $j_1$ to $j_2$ and determines $f(i,j_2)$. After that, Bob applies a unitary transformation to change j from $j_2$ to $j_3$ and determines $f(i,j_3)$, and so on.

Footnote 8: In other words, instead of the ideal one-sided two-party secure computation protocol, quantum cryptography gives only a protocol that allows Bob to learn f(i,j) for all j's. Such a protocol is uninteresting as it can be achieved in classical cryptography simply by having Alice tell Bob those values. Therefore, quantum cryptography provides no real advantage in this ideal case.
C. Key Points of the Proof

The above cheating strategy by Bob works for two reasons. First, using the insight gained from the impossibility of quantum bit commitment [20-23], in Subsection 3B I will prove the following: the security requirement (b), that Alice knows nothing about j, implies that at the end of the protocol Bob can cheat by changing the value of j from $j_1$ to $j_2$ by applying a unitary transformation to his own quantum machine.[fn 9] Consequently, Bob can determine the value of $f(i,j_2)$ instead of $f(i,j_1)$, as long as he has not measured $f(i,j_1)$ yet. Of course, Bob would like to learn $f(i,j_1)$, and he does measure $f(i,j_1)$ before rotating $j_1$ to $j_2$. At first sight, this seems to be a problem because measurements in quantum mechanics generally disturb a signal. Here comes the second point. Measurement of $f(i,j_1)$ does not disturb Bob's state at all, for the following reason. Since, by the security requirement (a) of an ideal protocol, Bob can input $j = j_1$ and learn the value of $f(i,j_1)$ unambiguously, the density matrix that Bob has must be an eigenstate of the measurement operator that he uses for determining $f(i,j_1)$. Being an eigenstate, the density matrix is, therefore, undisturbed by Bob's measurement. QED

In effect, I am arguing that the density matrix Bob has is a simultaneous eigenstate of the measurement operators for $f(i,j_1), f(i,j_2), \ldots, f(i,j_m)$. See Subsection 3B.

III. DETAILS OF THE PROOF

A. Unitary description

Let me present my result in more detail. It is convenient to use a unitary description of two-party computation [21,23]. Let $H_A$ ($H_B$ respectively) denote the Hilbert space of Alice's (Bob's) quantum machine. Imagine a two-party computation in which both Alice and Bob possess quantum computers and quantum storage devices. By maintaining the quantum coherence of the composite quantum system $H_A \otimes H_B$ (using external control such as classical computers, assembling of quantum gate arrays, quantum error correction and fault-tolerant quantum computation), one can avoid dealing with the collapse of the wavefunction. Alice and Bob's actions on their quantum machines can be summarized[fn 10] as an overall unitary transformation U applied to the initial state $|u\rangle_{\rm in} \in H_A \otimes H_B$, i.e.,

$$|u\rangle_{\rm fin} = U\,|u\rangle_{\rm in}. \qquad (1)$$

The unitary transformation, U, is known to both Alice and Bob because they know the procedure of the protocol. When both parties are honest, $|u^h\rangle_{\rm in} = |i\rangle_A \otimes |j\rangle_B$ and

$$|u^h\rangle_{\rm fin} = |v_{ij}\rangle = U\left(|i\rangle_A \otimes |j\rangle_B\right). \qquad (2)$$

Therefore, the density matrix that Bob has at the end of the protocol is simply

$$\rho^{i,j} = {\rm Tr}_A\, |v_{ij}\rangle\langle v_{ij}|. \qquad (3)$$

Footnote 9: The impossibility of quantum bit commitment [20-23] essentially states that if Alice does not know something, then Bob can change it. The commitment made by Bob is, therefore, fake.


B. Changing j from $j_1$ to $j_2$

I asserted in the last section that, owing to the security requirement (b), at the end of the protocol Bob can change the value of j from $j_1$ to $j_2$ by applying a unitary transformation to the state of his quantum machine. Since the value of Alice's input i is unknown to Bob, for such a cheating strategy to work, I need to prove that this unitary transformation can be chosen to be independent of the value of i:[fn 11]

Assertion: Given $j_1, j_2 \in \{1, 2, \ldots, m\}$, there exists a unitary transformation $U^{j_1 j_2}$ such that

$$\rho^{i,j_2} = U^{j_1 j_2}\, \rho^{i,j_1}\, \left(U^{j_1 j_2}\right)^{-1} \qquad (4)$$

for all i.

Proof. Notice that Bob must allow Alice to choose the value of her input, i, randomly. But then a dishonest Alice may try to learn about j by an EPR-type of attack, i.e., she entangles the state of her quantum machine A with her quantum dice D and prepares the initial state

$$\frac{1}{\sqrt{n}} \sum_i |i\rangle_D \otimes |i\rangle_A. \qquad (5)$$

(Recall that n is the cardinality of i.) Instead of measuring the state of her quantum dice D honestly, she may keep D for herself and use the second register, A, to execute the two-party protocol honestly from this point on. Suppose Bob's input is $j_1$. The initial state is, therefore,

$$|u\rangle_{\rm in} = \frac{1}{\sqrt{n}} \sum_i |i\rangle_D \otimes |i\rangle_A \otimes |j_1\rangle_B. \qquad (6)$$

At the end of the protocol, it follows from Eqs. (1) and (2) that the total wave function of the combined system D, A and B is described by

$$|v_{j_1}\rangle = \frac{1}{\sqrt{n}} \sum_i |i\rangle_D \otimes U\left(|i\rangle_A \otimes |j_1\rangle_B\right). \qquad (7)$$

Footnote 10: For the basic idea, see [21]. For detailed justification with a concrete model (a variant of Yao's model [18]), see [23]. Of course, in reality the execution of the protocol may not require quantum computers. This is, however, equivalent to a situation when the parties do not make full use of their quantum computers. If one can show that a cheater can cheat successfully against an honest party who has a quantum computer, clearly the cheater can cheat successfully against one without. Therefore, a unitary description is very useful for my purposes.

Footnote 11: Using the idea of the impossibility of bit commitment [20-23], it is trivial to prove that, for each i, a unitary transformation $U^{i,j_1 j_2}$ that rotates j from $j_1$ to $j_2$ exists. What is less trivial to prove is the existence of a unitary transformation $U^{j_1 j_2}$ which works for all i's simultaneously. I thank D. Mayers for enlightening discussions. Actually, Bob can choose his unitary transformation according to the outcome of his measurement. This observation will be useful in the later discussion just before Subsection A (Corollaries) of the next Section.

Similarly, if Bob's input is $j_2$ instead, the total wavefunction at the end of the protocol will be

$$|v_{j_2}\rangle = \frac{1}{\sqrt{n}} \sum_i |i\rangle_D \otimes U\left(|i\rangle_A \otimes |j_2\rangle_B\right). \qquad (8)$$

An ideal protocol should prevent such a dishonest Alice from learning anything about j. Therefore, the reduced density matrices in Alice's hand for the two cases $j = j_1$ and $j = j_2$ must be the same, i.e.,

$$\rho^{\rm Alice}_{j_1} = {\rm Tr}_B\, |v_{j_1}\rangle\langle v_{j_1}| = {\rm Tr}_B\, |v_{j_2}\rangle\langle v_{j_2}| = \rho^{\rm Alice}_{j_2}. \qquad (9)$$

Equivalently, the two wavefunctions $|v_{j_1}\rangle$ and $|v_{j_2}\rangle$ admit Schmidt decompositions with the same coefficients $a_k$ and the same vectors $|\alpha_k\rangle_{AD}$ (when several $a_k$ coincide, the same orthonormal basis of that degenerate eigenspace of $\rho^{\rm Alice}$ is used in both), i.e.,

$$|v_{j_1}\rangle = \sum_k a_k\, |\alpha_k\rangle_{AD} \otimes |\beta_k\rangle_B \qquad (10)$$

and

$$|v_{j_2}\rangle = \sum_k a_k\, |\alpha_k\rangle_{AD} \otimes |\beta'_k\rangle_B. \qquad (11)$$

Here $|\alpha_k\rangle_{AD}$, $|\beta_k\rangle_B$ and $|\beta'_k\rangle_B$ are eigenvectors of the corresponding density matrices and satisfy $\langle \alpha_k | \alpha_{k'} \rangle_{AD} = \delta_{k,k'}$, etc. Notice that Eqs. (10) and (11) contain the same factors $a_k$ and $|\alpha_k\rangle_{AD}$, and the only difference lies in the state of Bob's quantum machine, B. Now, consider the unitary transformation $U^{j_1 j_2}$ that rotates $|\beta_k\rangle_B$ to $|\beta'_k\rangle_B$ (and acts in any unitary fashion on the orthogonal complement of the $|\beta_k\rangle_B$). Notice that it acts on $H_B$ alone and yet, as can be seen from Eqs. (10) and (11), it rotates $|v_{j_1}\rangle$ to $|v_{j_2}\rangle$, i.e.,

$$|v_{j_2}\rangle = U^{j_1 j_2}\, |v_{j_1}\rangle. \qquad (12)$$

Since

$${}_D\langle i | v_j \rangle = \frac{1}{\sqrt{n}}\, |v_{ij}\rangle \qquad (13)$$

(see Eqs. (2), (7) and (8)), by multiplying Eq. (12) by ${}_D\langle i|$ on the left (which commutes with $U^{j_1 j_2}$, since the latter acts on B only), one finds that

$$|v_{ij_2}\rangle = U^{j_1 j_2}\, |v_{ij_1}\rangle. \qquad (14)$$

As one is interested in Bob's reduced density matrix, one takes the trace of $|v_{ij_2}\rangle\langle v_{ij_2}|$ over $H_A$ and uses Eq. (14) to obtain Eq. (4). This completes the proof of my assertion, Eq. (4).

The implication of Eq. (4) is profound. Independent of the value of Alice's private input, i, at the end of the protocol Bob can change the value of his own input j simply by applying a unitary transformation to his own quantum machine.[fn 12] Therefore, the index j in Bob's density matrix $\rho^{i,j}$ is redundant in the sense that different values of j simply correspond to representing the density matrix $\rho^i$ in different bases.

With such a simplification, one can essentially argue that $\rho^i$ is a simultaneous eigenstate of the measurements for $f(i,j_1), f(i,j_2), \ldots, f(i,j_m)$ in the following manner: with an input $j_1$, Bob can learn $f(i,j_1)$. This implies that $\rho^i$ is an eigenstate of the measurement for $f(i,j_1)$. But Bob can cheat by changing the value of j from $j_1$ to $j_2$ at the last minute to learn $f(i,j_2)$ instead. This means that $\rho^i$ is also an eigenstate of the measurement for $f(i,j_2)$. By repeating this argument, one sees clearly that $\rho^i$ is a simultaneous eigenstate of all the measuring operators for $f(i,j_1), f(i,j_2), \ldots, f(i,j_m)$. Consequently, Bob can learn the values of f(i,j) for all values of j simultaneously. This is why the cheating strategy that I describe in Subsection 2B works. In the next Section, I will generalize this attack to non-ideal protocols.
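As an added, constructed illustration (not code from the paper), the following Python/numpy script builds a toy instance of the unitary description of this Section and computes Bob's rotation $U^{j_1 j_2}$ for an arbitrary pair of final states by Uhlmann's construction (an SVD), rather than reading it off a Schmidt decomposition by hand. The protocol unitary U (Bob's register receives $Z^i X^i$ controlled on Alice's $|i\rangle_A$) is an assumption chosen so that requirement (b) holds exactly, and indices run from 0 rather than 1. The script checks Eqs. (9), (12) and (14), checks that Bob's honest measurement leaves $\rho^{i,j_1}$ undisturbed (the second point of Subsection 2C), and checks that the computed W agrees with the closed form $\omega^{-j_1 s} X^s Z^s$, $s = j_2 - j_1$, which differs from the naive shift $X^s$ by a phase correction that Bob would miss if he ignored the unitary structure.

```python
import numpy as np

# Added, constructed illustration of the unitary description in Sec. III.
# Toy instance with n = m = d; indices run 0..d-1 (the paper uses 1..n).
d = 3
omega = np.exp(2j * np.pi / d)


def basis(k, dim):
    e = np.zeros(dim, dtype=complex)
    e[k] = 1.0
    return e


def shift(s):
    """X^s on H_B: |b> -> |b+s mod d>."""
    X = np.zeros((d, d), dtype=complex)
    for b in range(d):
        X[(b + s) % d, b] = 1.0
    return X


def clock(s):
    """Z^s on H_B: |b> -> omega^{s b} |b>."""
    return np.diag([omega ** (s * b) for b in range(d)]).astype(complex)


def protocol_unitary():
    """Hypothetical protocol U on H_A (x) H_B: controlled on |i>_A, Bob's
    register receives Z^i X^i.  Chosen so that requirement (b) holds exactly;
    Bob ends up learning i+j mod d, i.e. a trivially insecure f (cf. footnote 8)."""
    U = np.zeros((d * d, d * d), dtype=complex)
    for i in range(d):
        P = np.outer(basis(i, d), basis(i, d).conj())
        U += np.kron(P, clock(i) @ shift(i))
    return U


def v_ij(U, i, j):
    """Eq. (2): |v_ij> = U(|i>_A (x) |j>_B), honest inputs."""
    return U @ np.kron(basis(i, d), basis(j, d))


def v_j(U, j):
    """Eqs. (7)/(8): Alice's EPR attack (1/sqrt n) sum_i |i>_D (x) U(|i>_A |j>_B),
    returned as a matrix M with rows indexed by (D,A) and columns by B."""
    v = sum(np.kron(basis(i, d), v_ij(U, i, j)) for i in range(d)) / np.sqrt(d)
    return v.reshape(d * d, d)


def alice_reduced(M):
    """Tr_B |v><v| in the matrix form above (Eq. (9))."""
    return M @ M.conj().T


def bob_rotation(M1, M2):
    """Uhlmann construction of Bob's unitary W on H_B.  (I (x) W) acts on the
    matrix form as M -> M W^T, so <v_j2|(I (x) W)|v_j1> = tr(M2^dag M1 W^T);
    with Y = M1^dag M2 = U S V^dag this is maximised by W^T = U V^dag.  When the
    reduced states on DA agree (Eq. (9)) the maximum is 1 and Eq. (12) holds."""
    Y = M1.conj().T @ M2
    Uy, _, Vh = np.linalg.svd(Y)
    return (Uy @ Vh).T


def bob_reduced(v):
    """Tr_A |v><v| for a vector on H_A (x) H_B (Eq. (3))."""
    M = v.reshape(d, d)           # rows A, cols B
    return M.T @ M.conj()


def check_assertion(j1, j2):
    """Verify Eqs. (9), (12), (14), the undisturbed-measurement point of
    Subsection 2C, and the closed form W = omega^{-j1 s} X^s Z^s, s = j2 - j1."""
    U = protocol_unitary()
    M1, M2 = v_j(U, j1), v_j(U, j2)
    W = bob_rotation(M1, M2)
    IW = np.kron(np.eye(d), W)
    s = (j2 - j1) % d
    closed = omega ** (-j1 * s) * (shift(s) @ clock(s))
    # Bob's honest measurement of f(i,j1) in the computational basis of B
    # leaves rho^{i,j1} unchanged: dephasing in that basis is a no-op.
    undisturbed = all(
        np.allclose(r, np.diag(np.diag(r)))
        for r in (bob_reduced(v_ij(U, i, j1)) for i in range(d)))
    return {
        "b_holds": np.allclose(alice_reduced(M1), alice_reduced(M2)),   # Eq. (9)
        "W_unitary": np.allclose(W.conj().T @ W, np.eye(d)),
        "eq12": np.allclose(M1 @ W.T, M2),                               # Eq. (12)
        "eq14": all(np.allclose(IW @ v_ij(U, i, j1), v_ij(U, i, j2))
                    for i in range(d)),                                  # Eq. (14)
        "closed_form": np.allclose(W, closed),
        "undisturbed": undisturbed,
    }


if __name__ == "__main__":
    print(check_assertion(0, 1))
```

In this toy Bob learns $i + j \bmod d$, so f is the trivially insecure kind described in footnote 8; that is exactly what the Section proves an ideal protocol is confined to. The `bob_rotation` routine does not depend on the toy U: applied to any two purifications on the same system B it returns the unitary that attains the fidelity bound of Eq. (16), i.e., it produces the maximally parallel purification used in Section IV, so the same routine can be reused there with $F < 1$.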



IV. NON-IDEAL PROTOCOLS

A general non-ideal protocol may violate the security requirements (a) and (b) slightly. In relaxing (b), one would expect the unitary transformations that Bob uses for changing j from $j_k$ to $j_{k+1}$ to be imperfect. In relaxing (a), the density matrix that Bob has at the end of the protocol will now be slightly different from an eigenstate of the measurement operator that he uses. (This is because Bob will generally be unable to determine the value of $f(i,j_1)$ unambiguously in non-ideal protocols.) Nonetheless, so long as the deviation from idealness is small, one would expect Bob to learn a substantial amount of information about $f(i,j_2)$ even after his honest determination of $f(i,j_1)$. That Bob can learn something about both $f(i,j_1)$ and $f(i,j_2)$ is already a serious violation of the security requirement (c), and there is no need for one to consider the security for $f(i,j_3)$, etc. In other words, one would expect that, for essentially the same reason as in the ideal protocol, even non-ideal quantum one-sided two-party computations are impossible. In what follows, I prove that this is indeed the case. Readers who are uninterested in technical details may skip the following and go directly to Subsection A.

Footnote 12: A similar idea is used in the proof of the impossibility of bit commitment [20-23]. That Alice knows nothing about Bob's chosen bit automatically implies that Bob can cheat successfully by applying a unitary transformation to change the value of the bit even after the completion of the commitment phase. Thus, the commitment is fake.

More concretely, let me relax security requirement (b) to allow Alice to have a small probability to distinguish between different j's. I mimic the proof of Eq. (4). As before, consider a dishonest Alice who tries to learn about j by preparing an illegal initial state $\frac{1}{\sqrt{n}} \sum_i |i\rangle_D \otimes |i\rangle_A$, where n is the cardinality of i. She keeps the first register, D, for herself and uses the second register, A, to execute the two-party protocol honestly from this point on. Unlike the ideal case, Eq. (9) is violated for non-ideal protocols, i.e., $\rho^{\rm Alice}_{j_1} \neq \rho^{\rm Alice}_{j_2}$. Nonetheless, so long as the probability for Alice to distinguish successfully between the two cases remains small, the two density matrices $\rho^{\rm Alice}_{j_1}$ and $\rho^{\rm Alice}_{j_2}$ must in some sense be close to each other.

Mathematically, the closeness between two density matrices $\rho$ and $\rho'$ of a system S can be described by the fidelity. (See also Ref. [27].) Imagine another system E attached to a given system S. There are many pure states $|\psi\rangle$ and $|\psi'\rangle$ on the composite system that satisfy

$${\rm Tr}_E\left(|\psi\rangle\langle\psi|\right) = \rho \quad {\rm and} \quad {\rm Tr}_E\left(|\psi'\rangle\langle\psi'|\right) = \rho'. \qquad (15)$$

The pure states $|\psi\rangle$ and $|\psi'\rangle$ are called the purifications of the density matrices $\rho$ and $\rho'$. The fidelity $F(\rho,\rho')$ can be defined as

$$F(\rho,\rho') = \max \left|\langle \psi | \psi' \rangle\right|, \qquad (16)$$

where the maximization is over all possible purifications. I remark that[fn 13] for any fixed purification $|\psi\rangle$ of $\rho$, there exists a maximally parallel purification $|\psi'\rangle$ of $\rho'$ that attains the maximum in Eq. (16). Notice that $0 \le F \le 1$ and $F = 1$ if and only if $\rho = \rho'$.

Returning to the discussion on non-ideal protocols, the condition that the two density matrices $\rho^{\rm Alice}_{j_1}$ and $\rho^{\rm Alice}_{j_2}$ be close to each other can be specified by the mathematical statement that the fidelity $F(\rho^{\rm Alice}_{j_1}, \rho^{\rm Alice}_{j_2})$ is close to 1. Say

$$F\left(\rho^{\rm Alice}_{j_1}, \rho^{\rm Alice}_{j_2}\right) \ge 1 - \delta, \qquad (17)$$

where $\delta \ll 1$.[fn 14] It follows from the definition of fidelity in Eq. (16), with Bob's machine B playing the role of the purifying system E (two purifications of the same density matrix on the same purifying system are related by a unitary on that system), that there exists a unitary transformation $U^{j_1 j_2}$ acting on $H_B$ alone[fn 15] such that

$$\left| \langle v_{j_2} | U^{j_1 j_2} | v_{j_1} \rangle \right| \ge 1 - \delta. \qquad (18)$$

Since (from Eqs. (2), (7) and (8)) $|v_j\rangle = \frac{1}{\sqrt{n}} \sum_i |i\rangle_D \otimes |v_{ij}\rangle$,

$$\left| \langle v_{j_2} | U^{j_1 j_2} | v_{j_1} \rangle \right| = \frac{1}{n} \left| \sum_i \langle v_{ij_2} | U^{j_1 j_2} | v_{ij_1} \rangle \right| \ge 1 - \delta. \qquad (19)$$

Now

$$\frac{1}{n} \sum_i \left| \langle v_{ij_2} | U^{j_1 j_2} | v_{ij_1} \rangle \right| \ge \frac{1}{n} \left| \sum_i \langle v_{ij_2} | U^{j_1 j_2} | v_{ij_1} \rangle \right| \ge 1 - \delta. \qquad (20)$$

For a protocol to be one-sided, one requires $\delta \ll 1$. Let me consider the two cases (A) $n\delta \ll 1$ and (B) $\delta \ll 1 \lesssim n\delta$ separately.

Footnote 13: I thank R. Jozsa for a discussion about this point.

Footnote 14: One might imagine a situation when Alice has been informed by her spy that Bob's input is either $j_1$ or $j_2$. In this case, her task is to distinguish between these two remaining possibilities. To prevent Alice from succeeding, it is crucial that Eq. (17) holds.

Footnote 15: A similar idea was used by Mayers [20] in the discussion of non-ideal bit commitment schemes.

Case (A): $n\delta \ll 1$.

It is a common requirement in computer science that $n\delta \ll 1$. In this case, for each i,

$$\left| \langle v_{ij_2} | U^{j_1 j_2} | v_{ij_1} \rangle \right| \ge 1 - n\delta \qquad (21)$$

is still close to 1. (Each of the n terms in Eq. (20) is at most 1, so if a single term fell below $1 - n\delta$ the average could not reach $1 - \delta$.) I now come to the relaxation of security requirement (a). Bob still chooses a j, say $j_1$, and performs a measurement on his quantum state in order to learn the value of $f(i,j_1)$. However, for a non-ideal protocol, Bob's measurement result will not give him full information on $f(i,j_1)$. Nonetheless, for a protocol that is only slightly non-ideal, one may demand that, for each i, Bob's ignorance about $f(i,j_1)$ after his measurement would be much less than one bit. That is to say that Bob's measurement can extract the value of $f(i,j_1)$ from the density matrix $\rho^{i,j_1}$ with a probability close to 1. Therefore, $\rho^{i,j_1}$ can be made to be almost an eigenstate of Bob's measurement, and thus the disturbance caused by such measurement is small. Consequently, one must have

$$F\left(\rho^{i,j_1}, \mathcal{E}\left(\rho^{i,j_1}\right)\right) \ge 1 - \epsilon, \qquad (22)$$

where $\epsilon \ll 1$ and $\mathcal{E}$ is a linear operator (the so-called super-operator [29]) which represents the action of the (imperfect) measurement of $f(i,j_1)$ by Bob. Since fidelity is preserved by unitary transformations, one finds that

$$F\left(U^{j_1 j_2} \rho^{i,j_1} \left(U^{j_1 j_2}\right)^{-1},\; U^{j_1 j_2} \mathcal{E}\left(\rho^{i,j_1}\right) \left(U^{j_1 j_2}\right)^{-1}\right) \ge 1 - \epsilon. \qquad (23)$$

From Eqs. (21) and (23), one deduces[fn 16] that

$$F\left(U^{j_1 j_2} \mathcal{E}\left(\rho^{i,j_1}\right) \left(U^{j_1 j_2}\right)^{-1},\; \rho^{i,j_2}\right) \ge 1 - O(n\delta) - O(\epsilon). \qquad (24)$$

Now the high fidelity of Eq. (24) implies that Bob's cheating strategy, of determining $f(i,j_1)$ approximately first, applying a rotation to his state to change j from $j_1$ to $j_2$ and then determining $f(i,j_2)$, will allow him to defeat the security requirement (c) of the protocol by learning substantial information about $f(i,j_2)$. Therefore, even non-ideal protocols are unsafe if $n\delta \ll 1$.

Footnote 16: This follows from the fact that the fidelity is closely related [28] to the Bures metric.
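The step from Eqs. (21) and (23) to Eq. (24) can be carried out explicitly through the Bures angle. The following derivation is added here and is not part of the original paper; it uses only the paper's own symbols. Write

$$\sigma = U^{j_1 j_2} \rho^{i,j_1} \left(U^{j_1 j_2}\right)^{-1}, \qquad \tau = U^{j_1 j_2} \mathcal{E}\left(\rho^{i,j_1}\right) \left(U^{j_1 j_2}\right)^{-1}.$$

Since $U^{j_1 j_2}|v_{ij_1}\rangle$ is a purification of $\sigma$ and $|v_{ij_2}\rangle$ is a purification of $\rho^{i,j_2}$ (both with $H_A$ as the purifying system), the maximum in Eq. (16) together with Eq. (21) gives

$$F\left(\sigma, \rho^{i,j_2}\right) \ge \left|\langle v_{ij_2}|U^{j_1 j_2}|v_{ij_1}\rangle\right| \ge 1 - n\delta, \qquad F(\sigma,\tau) \ge 1 - \epsilon \ \ \text{(Eq. (23))}.$$

The Bures angle $A(\rho,\rho') = \arccos F(\rho,\rho')$ is a metric on density matrices, so

$$A\left(\tau, \rho^{i,j_2}\right) \le A(\tau,\sigma) + A\left(\sigma,\rho^{i,j_2}\right) \le \arccos(1-\epsilon) + \arccos(1-n\delta).$$

From $1 - \cos\theta = 2\sin^2(\theta/2)$ one has $\arccos(1-x) = 2\arcsin\sqrt{x/2} \le \pi\sqrt{x/2}$ for $0 \le x \le 1$ (arcsin lies below its chord on $[0,1]$), and $\cos\theta \ge 1 - \theta^2/2$ for every $\theta$. Therefore

$$F\left(\tau,\rho^{i,j_2}\right) = \cos A\left(\tau,\rho^{i,j_2}\right) \ge 1 - \frac{\pi^2}{4}\left(\sqrt{\epsilon} + \sqrt{n\delta}\right)^2 \ge 1 - \frac{\pi^2}{2}\left(\epsilon + n\delta\right),$$

which is Eq. (24) with explicit constants. The same three lines with $10\delta$ in place of $n\delta$ give Eq. (27) of Case (B).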

Case (B): $\delta \ll 1 \lesssim n\delta$.

I now separate the discussion further into two cases: 'typical' and 'atypical' functions. A 'typical' function f(i,j) is defined to be such that, even if the value of $f(i,j_2)$ is determined inaccurately by Bob for a small fraction, say 1/10, of the i's, Bob can still gain a considerable amount of information about the value i. With such a definition, I now argue that, for a typical function, the assumption $\delta \ll 1$ necessarily leads to a fatal violation of security requirement (c), thus showing the insecurity of non-ideal protocols. My point is the following: since each of the n terms $|\langle v_{ij_2}|U^{j_1 j_2}|v_{ij_1}\rangle|$ in Eq. (20) has a value less than or equal to 1, Eq. (20) implies that, for at least nine out of ten of the i's, the following is true:

$$\left| \langle v_{ij_2} | U^{j_1 j_2} | v_{ij_1} \rangle \right| \ge 1 - 10\delta. \qquad (25)$$

(If a fraction q of the terms were below $1 - 10\delta$, the average in Eq. (20) would be at most $1 - 10 q \delta$, so $q \le 1/10$.) Since I am interested in Bob's density matrix, I take the trace over Alice's quantum machine A and find that for each of those i's,

$$F\left(U^{j_1 j_2} \rho^{i,j_1} \left(U^{j_1 j_2}\right)^{-1},\; \rho^{i,j_2}\right) \ge 1 - 10\delta. \qquad (26)$$

In relaxing the security requirement (a), Eqs. (22) and (23) are still valid. Combining Eq. (23) with (26), one finds that for at least nine out of ten of the possible i's to be chosen by Alice,

$$F\left(U^{j_1 j_2} \mathcal{E}\left(\rho^{i,j_1}\right) \left(U^{j_1 j_2}\right)^{-1},\; \rho^{i,j_2}\right) \ge 1 - O(10\delta) - O(\epsilon). \qquad (27)$$

Hence, Bob can determine the value of $f(i,j_2)$ with high accuracy at least nine out of ten times. Since the function is assumed to be typical, this implies that Bob can get a substantial amount of information about the value of i. Consequently, the non-ideal protocol is insecure.

What about the case of 'atypical' functions? An example of 'atypical' functions is f(i,j) = 1 if i = j and f(i,j) = 0 otherwise (as in quantum one-way oblivious identification in Corollary 2). For those functions, it might be fatal if there exists a single i such that $|\langle v_{ij_2}|U^{j_1 j_2}|v_{ij_1}\rangle|$ is close to 0. In the above example, if $|\langle v_{ij_2}|U^{j_1 j_2}|v_{ij_1}\rangle| = 0$ for $i = j_2$, it might be the case that a cheating Bob (after determining $f(i,j_1)$ honestly) finds $f(i,j_2) = 0$ for all values of i. Therefore, Bob gains no information about the value of i despite the high average fidelity.

I now argue that even atypical functions cannot be computed securely in non-ideal one-sided secure computations whenever $\delta \ll 1$. It is easiest to understand my reasoning by working with an example. (I will present the general case two paragraphs below.) Consider a situation in which a cheating Alice prepares an unequally weighted (i.e., non-maximally entangled) state instead of the equally weighted (i.e., maximally entangled) state in Eq. (5). For the function discussed above (f(i,j) = 1 if i = j and f(i,j) = 0 otherwise), suppose a cheating Alice prepares the state

$$\frac{1}{\sqrt{2}}\, |j_2\rangle_D \otimes |j_2\rangle_A + \frac{1}{\sqrt{2(n-1)}} \sum_{i \neq j_2} |i\rangle_D \otimes |i\rangle_A$$

in her EPR attack (instead of Eq. (5)). Since Alice is not supposed to learn much about Bob's input j, one must still have $F(\rho^{\rm Alice}_{j_1}, \rho^{\rm Alice}_{j_2}) \ge 1 - \delta$. This now implies that

$$\left| \langle v_{j_2 j_2} | U^{j_1 j_2} | v_{j_2 j_1} \rangle \right| \ge 1 - 2\delta, \qquad (28)$$

and

$$\frac{1}{n-1} \sum_{i \neq j_2} \left| \langle v_{ij_2} | U^{j_1 j_2} | v_{ij_1} \rangle \right| \ge 1 - 2\delta. \qquad (29)$$
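Eqs. (28) and (29) follow from $F \ge 1 - \delta$ in the same way as Eq. (20), with the unequal weights carried through. The following derivation is added here and is not part of the original paper. With the state above, the final states for Bob's inputs $j = j_1, j_2$ are (cf. Eqs. (7), (8) and (13))

$$|w_j\rangle = \frac{1}{\sqrt{2}}\, |j_2\rangle_D \otimes |v_{j_2 j}\rangle + \frac{1}{\sqrt{2(n-1)}} \sum_{i \neq j_2} |i\rangle_D \otimes |v_{ij}\rangle.$$

By the definition (16) of the fidelity there is a unitary $U^{j_1 j_2}$ on $H_B$ with $|\langle w_{j_2}|U^{j_1 j_2}|w_{j_1}\rangle| \ge 1 - \delta$. The $|i\rangle_D$ are orthonormal and $U^{j_1 j_2}$ does not act on D, so the cross terms vanish and

$$\langle w_{j_2}|U^{j_1 j_2}|w_{j_1}\rangle = \frac{1}{2}\, \langle v_{j_2 j_2}|U^{j_1 j_2}|v_{j_2 j_1}\rangle + \frac{1}{2(n-1)} \sum_{i \neq j_2} \langle v_{ij_2}|U^{j_1 j_2}|v_{ij_1}\rangle.$$

Writing $x = |\langle v_{j_2 j_2}|U^{j_1 j_2}|v_{j_2 j_1}\rangle|$ and $y = \frac{1}{n-1}\sum_{i \neq j_2} |\langle v_{ij_2}|U^{j_1 j_2}|v_{ij_1}\rangle|$, the triangle inequality gives $1 - \delta \le \frac{1}{2}x + \frac{1}{2}y$ with $0 \le x, y \le 1$. Hence

$$x \ge 2(1-\delta) - y \ge 1 - 2\delta, \qquad y \ge 2(1-\delta) - x \ge 1 - 2\delta,$$

which are Eqs. (28) and (29). Note that the $U^{j_1 j_2}$ obtained here is the unitary attached to this unequally weighted attack; it may differ from the one obtained for the state of Eq. (5), which is one reason Bob is allowed to choose his rotation after seeing $f(i,j_1)$ (footnote 11).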

Notice that the various i's fall into two classes (for $i = j_2$, $f(i,j_2) = 1$; for $i \neq j_2$, $f(i,j_2) = 0$) which are to be distinguished by Bob. Eq. (28) ensures that Bob will find the value of $f(j_2, j_2)$ to be 1 with high probability. Similarly, Eq. (29) ensures that, averaged over the $i \neq j_2$, Bob finds $f(i,j_2)$ to be zero with high probability. Therefore, Bob can determine with some confidence whether $i = j_2$, and it is clear that, for this particular example of f(i,j), even a non-ideal one-sided secure computation is impossible.

Are secure one-sided computations impossible for all functions? I now prove rigorously 
that they are impossible for the case e = in Eq. (0). The discussion for the case e / 
will be postponed to the very end of this paragraph. When e = 0, Bob determines the 
value of f(i,j\) accurately with certainty. Suppose he finds f(i,ji) to be c. He can restrict 
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his attention to the set, S, of z's that satisfy this constraint. If, for all pairs G S, 
f(i,j) = f{i',j) for all j's, then Bob has nothing to gain in learning the value of f(i, j'2). 
Suppose the contrary. Then there exists a j say j'2 such that f(i, J2) is not a constant 
function in S. Let me partition the set S further into two or more subsets S^'s according 
to the value of f{i,j2}. Imagine a cheating Alice prepares a state J2k [sJi/2 ^2ies k K) ® 
Notice also that, with the above normalization factor ^ s | 1/2 , each set S/~ in the partition is 
assigned equal weight by Alice. (Here we ignore the obvious overall normalization factor.) 
Such an assignment of weights maximizes the information gain by Bob in performing his 
measurement. It is then easy to see that so long as 5 <C 1, Bob can determine with some 
confidence to which set % belongs. This seriously violates the security requirement (c). In 
conclusion, I have shown rigorously that secure one-sided computations are always impossible 
for any function when e = 0. What about the general case when e ^ 0? Since there is no 
obvious singularity in the problem, provided that e is sufficiently small, one-sided two-party 
secure computations should remain impossible. 

Notice that in the above proof, I allow Bob's choice of the unitary transformation to be 
dependent on the value f(i,ji) that he has obtained. This is perfectly all right. 

Finally, I remark that it is a matter of definition that a one-sided protocol must have δ ≪ 1 in Eq. (17). This is because a protocol with δ of order 1 in Eq. (17) is two-sided rather than one-sided. For discussions on two-sided protocols, see the next Section.

A. Corollaries 

Definition: One-out-of-two oblivious transfer is an example of one-sided two-party secure computation in which the sender sends two messages and the receiver chooses to receive either message but cannot read both. Besides, the sender, Alice, should not learn which message is read by the receiver, Bob. More precisely, Alice's input, i, is a pair of messages, (m_0, m_1), and Bob's input, j, is a bit 0 or 1. At the end of the protocol, Bob learns the message m_j, but not the other message m_{1−j}; i.e., f(m_0, m_1, j = 0) = m_0 and f(m_0, m_1, j = 1) = m_1.

Corollary 1: Quantum one-out-of-two oblivious transfer is impossible. 

Remark: As noted in the introduction, one-out-of-two oblivious transfer is an important primitive for building up secure computations. The impossibility of one-out-of-two oblivious transfer itself is a major setback to quantum cryptography. Also, this corollary is a generalization of Wiesner's insight, which showed that it is impossible to achieve ideal quantum one-out-of-two oblivious transfer using only one-way communications.

Incidentally, there have been claims that quantum cryptography is useful for one-way oblivious identification [14], [15]. Such a protocol would allow the first user, Alice, to identify herself in front of a second user, Bob, by means of a password known only to the two of them. The safety requirement is that somebody ignorant of the password who impersonates Bob shall not be able to obtain much information on the password from the identification process. One-way oblivious identification is an example of one-sided two-party secure computation in which the prescribed function is f(i,j) = 1 if i = j and f(i,j) = 0 otherwise. In other words, f(i,j) gives a yes/no answer to the question whether the two persons have the same password. Such an oblivious identification scheme is, therefore, very useful for preventing the fraud in which a customer types a PIN (Personal Identification Number) into a dishonest teller machine that steals passwords.

Corollary 2: Quantum one-way oblivious identification is impossible. 

Remark: This result applies only to one-sided schemes for quantum oblivious identification, a subject that earlier papers [14], [15] have focused on and wrongly claimed to achieve. However, one should note that in practical applications, assumption (b) in Section 2 can be relaxed. For example, it is conceivable that one can allow the customer, Alice, to learn substantial information about the input of Bob (the cash machine). When Bob finds out in the computation that someone is disguising herself as Alice (the answer is 'no' in the computation), he can cancel Alice's password and ask Alice to go to the bank in person to get a new password. Such a protocol is much less powerful than what the original protocols intend to achieve, but it is still somewhat useful. Also notice that the possibility of two-sided schemes for oblivious identification remains open. However, the following Section shows that there exists a class of functions that cannot be computed securely in any two-sided two-party secure computation.

V. SECURITY OF TWO-SIDED TWO-PARTY COMPUTATIONS 

Definition: Suppose Alice has a private input i and Bob a private input j. A two-sided two-party secure computation of a prescribed function f(i,j) is a protocol such that at the end,

(a) both Alice and Bob learn f(i,j), 

(b) Alice learns nothing about j more than what logically follows from f(i,j) and her 
private input i, and 

(c) Bob learns nothing about i more than what logically follows from f(i,j) and his 
private input j. 

Notice that in classical cryptography, a one-sided two-party computation of a function f(i,j) can be reduced to a two-sided two-party computation of a function F(i,j,r) = f(i,j) XOR r, where r is a random string of input chosen by Bob and the XOR is taken bitwise.† At the end of the protocol, both Alice and Bob learn F(i,j,r). While Bob can invert the function to find f(i,j) = F(i,j,r) XOR r, Alice, being ignorant of Bob's input r, has absolutely no information about f(i,j).

† I thank R. Cleve for enlightening discussions about this point.

Here I demonstrate explicitly that the quantum two-sided two-party computation of F(i,j,r) is insecure. Alice's density matrix at the end of the protocol should only be a function of i and F(i,j,r). This is because F(i,j,r) is the only piece of information that Alice is supposed to know about Bob's inputs j and r. Let me therefore denote Alice's density matrix by $\rho_{\rm Alice}^{i,F(i,j,r)}$. Suppose a dishonest Bob inputs $|j\rangle \otimes \sum_r |r\rangle \otimes |r\rangle_D$ and he keeps the system D for himself. (Here p is the cardinality of f(i,j), as f(i,j) ∈ {1, 2, …, p}.) In other words, he entangles the state of r with a quantum dice D and performs an EPR-type of cheating. Suppose further that an honest Alice inputs i. The density matrix that Alice has at the end of the protocol will simply be a normalized direct sum, $\frac{1}{p} \sum_r \rho_{\rm Alice}^{i,F(i,j,r)}$, of the individual density matrices. For any fixed but arbitrary j, as r changes, F(i,j,r) runs over all the p values, {1, 2, …, p}. (Recall that F(i,j,r) = f(i,j) XOR r.) Consequently, $\frac{1}{p} \sum_r \rho_{\rm Alice}^{i,F(i,j,r)} = \frac{1}{p} \sum_{F=1}^{p} \rho_{\rm Alice}^{i,F}$, i.e., Alice's density matrix is independent of the value of j. But then, by precisely the same attack as in the one-sided case (determining the value of f(i,j_1), changing j from j_1 to j_2 by a unitary transformation, determining the value of f(i,j_2), and so on), Bob can determine the value of f(i,j) for all values of j. This violates the security requirement (c) for the two-sided protocol. In conclusion, there are functions, namely F(i,j,r) = f(i,j) XOR r, that cannot be computed securely by any two-sided protocol.
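The two set-theoretic steps used above, restricting to the set S consistent with f(i,j_1) = c and partitioning it by f(·,j_2) (Section IV), and the reduction F(i,j,r) = f(i,j) XOR r whose output distribution is independent of j from Alice's side while Bob inverts it (this Section), as an added toy model written for this page rather than code from the paper; it uses the password function f(i,j) = 1 if i = j, 0 otherwise, on a constructed four-element domain.

```python
# Added toy model of the page's arguments for the password function
# f(i, j) = 1 if i == j else 0 (constructed example, not the paper's code).
from collections import Counter


def f(i, j):
    """Password identification: yes/no answer to 'is i equal to j?'."""
    return 1 if i == j else 0


def restricted_set(domain, j1, c):
    """One-sided case: after learning c = f(i, j1), Bob keeps only the i's
    consistent with that outcome, i.e. the set S of the proof."""
    return {i for i in domain if f(i, j1) == c}


def partition_by(S, j2):
    """Partition S by the value of f(., j2).  More than one part means
    f(., j2) is not constant on S, so a second, undisturbed evaluation at
    j2 would tell Bob something about i beyond what f(i, j1) revealed."""
    parts = {}
    for i in S:
        parts.setdefault(f(i, j2), set()).add(i)
    return parts


def alice_view(i, j, r_values=(0, 1)):
    """Two-sided reduction F(i, j, r) = f(i, j) XOR r with r uniform:
    the distribution of the public output F that Alice sees for fixed i."""
    return Counter(f(i, j) ^ r for r in r_values)


def alice_view_independent_of_j(i, domain):
    """Check the claim that Alice's view is the same for every j."""
    views = [tuple(sorted(alice_view(i, j).items())) for j in domain]
    return len(set(views)) == 1


def bob_inverts(i, j, r):
    """Bob, who chose r, recovers f(i, j) = F XOR r from the public output."""
    F = f(i, j) ^ r
    return F ^ r


if __name__ == "__main__":
    domain = range(4)                        # constructed: four passwords
    S = restricted_set(domain, j1=0, c=0)    # Bob's first guess 0 was wrong
    print(sorted(S), partition_by(S, j2=2))  # f(., 2) splits S: {1,3} vs {2}
    print(alice_view_independent_of_j(1, domain), bob_inverts(1, 1, r=1))
```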

VI. SUMMARIES AND DISCUSSIONS 

This paper deals with the applications of quantum cryptography in the protection of private information during public decision (rather than with the best-known application, so-called quantum key distribution). As an important example, in a one-sided two-party secure computation, one party, Alice, has a private input, i, and the other party, Bob, has a private input, j. Alice helps Bob to compute a prescribed function f(i,j) in such a way that at the end of the protocol,

(a) Bob learns f(i,j),

(b) Alice learns nothing (or almost nothing) about j, and

(c) Bob knows nothing about i more than what logically follows from the value of j and f(i,j).

(For example, in password identification f(i,j) = 1 if i = j and f(i,j) = 0 otherwise.) Notice that Bob is supposed to choose a j (say j_1) and learn f(i,j) for that particular value of j only. However, I prove that quantum one-sided two-party computation is always insecure because Bob can learn f(i,j) for all values of j. In the cheating strategy that I consider, Bob determines the values of f(i,j) for the various values of j successively.¹⁸ That is to say that Bob inputs j = j_1, determines the value of f(i,j_1), changes j to j_2 and determines f(i,j_2), and so on.

Such a cheating strategy works for two reasons. For simplicity, let me first consider the ideal protocol. Let Bob input j = j_1 initially. Using the insight from the impossibility of bit commitment [20]-[23], I prove that, owing to the security requirement (b), Bob can cheat at the end of the protocol by changing the value of j from j_1 to j_2. Thus he can determine the value of f(i,j_2) instead of f(i,j_1), as long as he has not yet performed a measurement to determine f(i,j_1). Of course, Bob is interested in learning f(i,j_1) as well. So, he must first measure the value of f(i,j_1) before rotating j from j_1 to j_2. If I can show that his measurement of f(i,j_1) does not disturb the quantum state he possesses, it is clear that this cheating strategy will work. This is precisely what I do: since in an ideal protocol with an input j = j_1, Bob can unambiguously determine the value of f(i,j_1) (security requirement (a)), the density matrix that Bob has must be an eigenstate of the measurement operator that he uses. Consequently, he can measure the value of f(i,j_1) without disturbing the quantum state of the signal at all! (Notice that, in effect, I have shown that owing to the security requirements (a) and (b), the density matrix that Bob has is a simultaneous eigenstate of f(i,j_1), f(i,j_2), …, f(i,j_m). This contradicts security requirement (c).)

These two points taken together mean that this cheating strategy beats an ideal protocol for one-sided two-party computation.¹⁹ In Section 4, I generalize my result to show that a similar attack defeats non-ideal protocols as well. In conclusion, I have shown that quantum one-sided two-party secure computation (ideal or non-ideal) is always impossible.

As corollaries to my results, contrary to popular belief in earlier literature, quantum one-out-of-two oblivious transfer and one-way oblivious identification are also impossible. I remark that the reduction theorem in classical cryptography can be used to show that quantum (ordinary) oblivious transfer is impossible. In future, it would be interesting to work out a direct attack that defeats quantum oblivious transfer.

Since a one-sided two-party computation of a function can be reduced to a two-sided two-party computation of a related function, there are functions that cannot be computed securely in two-sided two-party computations as well. Can any function be computed securely in a quantum two-sided two-party computation? While I do not have a definite answer, the argument for the impossibility of ideal quantum coin tossing [23] can be used to prove the impossibility of ideal two-sided two-party secure computation (and also of ideal so-called zero-knowledge proof). Furthermore, Section 4 of Ref. [23] shows that quantum two-sided two-party secure computation can never be done efficiently.²⁰ In conclusion, these results rule out the perfect or nearly perfect protection of private information in one-sided two-party computations by quantum mechanics. The security of quantum two-sided two-party computation is also shown to be in very serious trouble.

¹⁸ See footnote 8.

¹⁹ As discussed in the introduction, one may also use the classical reduction theorem from bit commitment to one-out-of-two oblivious transfer to argue the impossibility of quantum one-sided two-party computations. Such a proof is, however, not transparent at all. Yet another alternative proof of the insecurity of ideal quantum one-sided two-party computation can be made by combining the idea of the proof of the impossibility of quantum bit commitment with a generalization of Wiesner's early insight on the insecurity of a subclass of quantum one-out-of-two oblivious transfer schemes. Such a proof is, however, non-constructive and does not apply directly to non-ideal protocols. I shall, therefore, omit it here.

²⁰ Let me normalize everything so that Alice and Bob both learn one bit of information from executing a two-sided two-party computation. If both parties are shameless enough to stop running the protocol whenever one of them has an amount of information that is ε greater than his/her opponent's, it is easy to show [23] that the number N of rounds of communication needed for the protocol to be successful has to satisfy Nε > 1. An exponentially small ε requires an exponentially large N and the scheme is necessarily inefficient.

In retrospect, there were good reasons for the reexamination of the foundations of quantum cryptographic protocols such as secure computation: while the security of quantum key distribution can intuitively be attributed to the quantum no-cloning theorem, no simple physical reason has ever been given for the security of other quantum cryptographic protocols such as bit commitment. This is a highly unsatisfactory situation. Besides, most proposed quantum protocols are inefficient. From both theoretical and practical points of view, a more fundamental understanding of the issues of security and efficiency of those protocols would therefore be most welcome. In the claimed "secure" quantum bit commitment protocol [16], researchers have implicitly assumed that measurements are made by the two parties. What I have shown is that by using a quantum computer and performing an EPR-type of attack, the party Bob can defeat the security requirement of the protocol. This is remarkable because the basic idea of the EPR attack can be found in the pioneering papers. The sky has fallen because its foundation has been shaky.

I emphasize that the cheating strategy proposed in this paper generally requires a quan- 
tum computer to implement. Before a quantum computer is ever built, quantum one-sided 
two-party secure computations may still be secure in practice. Besides, apart from quantum 
key distribution (which is perfectly secure), partial security provided by applications such 
as quantum money may still be very useful. 

On the positive side, the impossibility of quantum one-sided two-party computation together with the impossibility of quantum bit commitment [20]-[23] constitute a major victory of cryptanalysis against quantum cryptography. On one hand, quantum key distribution is secure, heuristically, because of the quantum no-cloning theorem. On the other hand, quantum bit commitment and quantum one-sided two-party computation are impossible essentially because of the EPR paradox. Therefore, there are now solid foundations to both quantum cryptography and quantum cryptanalysis — the two sides of the coin in quantum cryptology. A key question remains as to the exact boundary of the power of quantum cryptography. For instance, what is the power of quantum cryptography in providing partial security in applications such as quantum money? Perhaps new physical insights can be gained in the attempts to answer this question.